SSO / SAML 2.0

Enterprise teams can configure SAML 2.0 SSO for centralized authentication.

Overview

localskills.sh acts as a SAML Service Provider (SP). It supports any SAML 2.0–compliant identity provider, including Okta, Azure AD, Google Workspace, and OneLogin.

Configuring SSO requires the team owner role. Users who authenticate via SSO are automatically provisioned as team members.

SP configuration

Provide the following values to your identity provider. Replace {tenantId} with your team ID from the SSO settings page.

SP Entity ID

https://localskills.sh/api/auth/saml/{tenantId}/metadata

ACS URL

https://localskills.sh/api/auth/saml/{tenantId}/acs

SP Metadata URL

https://localskills.sh/api/auth/saml/{tenantId}/metadata

IdP setup

There are three ways to configure your identity provider in localskills.sh:

1. Metadata URL (recommended) — Enter your IdP's metadata URL. Must be HTTPS and under 256 KB.

2. Metadata XML — Paste the full SAML metadata XML document from your IdP.

3. Manual configuration — Provide the IdP Entity ID, SSO URL, X.509 certificate (PEM format), and an optional SLO URL.
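Before pasting IdP metadata or switching to manual configuration, it helps to check the document locally and read out the fields option 3 asks for. The following is an added example, not localskills.sh code: the function names, the idp.example.com values, applying the 256 KB limit to the document size, and preferring the HTTP-Redirect binding are all assumptions of this example.

```python
import base64, textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MAX_BYTES = 256 * 1024  # limit the page states for metadata; applied here to document size
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_metadata_url(url):
    """Option 1: accept only https:// URLs that name a host."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)

def _location(idp, tag):
    """Prefer the HTTP-Redirect endpoint (assumption), otherwise the first one listed."""
    nodes = sorted(idp.findall(f"md:{tag}", NS), key=lambda n: n.get("Binding") != REDIRECT)
    return nodes[0].get("Location") if nodes else None

def parse_idp_metadata(xml_bytes):
    """Options 2/3: return the manual-configuration fields found in IdP metadata."""
    if len(xml_bytes) > MAX_BYTES:
        raise ValueError("metadata exceeds 256 KB")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("SAML metadata should not carry a DTD")
    root = ET.fromstring(xml_bytes)
    entity = root if root.tag == f"{{{MD}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Keys marked use="encryption" are skipped; unmarked keys may be used for signing.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(certs[0].text.split()), validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return {"entity_id": entity.get("entityID"),
            "sso_url": _location(idp, "SingleSignOnService"),
            "slo_url": _location(idp, "SingleLogoutService"),  # optional, may be None
            "certificate_pem": f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"}

# Constructed sample: hypothetical IdP, placeholder bytes in place of a real certificate.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.com/saml">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
  <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
 </IDPSSODescriptor></EntityDescriptor>""".encode()
```

Calling parse_idp_metadata(SAMPLE) returns a dictionary whose slo_url is None, because the sample declares no SingleLogoutService.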

Email domains

Whitelist one or more email domains for SSO (e.g. example.com). Only users with matching email domains can sign in via SAML.

Multiple domains are supported. Domain uniqueness is enforced across all teams — a domain can only be claimed by one team at a time.

Enforcement

Enable “Require SSO” to force all team members to authenticate via SAML. Users who have not linked their account through SSO will be prompted to do so on next login.

You can configure a default role — admin, member, or viewonly — for users provisioned through SSO.

Note: All SSO configuration changes are tracked in the team audit log.